Building cybersecurity culture: are we locked into “Cyber Autism”?

“The problem is that we have a huge population that suffers from a form of cyber autism.”

Eh’den Biber

After a number of serious complaints in recent months, Facebook says that it is all about privacy now. A very recent survey presented at the RSA Conference 2019 claims that data privacy was a top concern for most participants. Out of 4,000 participants, 96% stated that they care about their privacy and security.

At the same time, many of the survey participants said that
they did not follow best practices for data privacy. For example, only
32% read privacy policies or End User License Agreements, and only 47% knew
which permissions their apps have. Furthermore, just over 53% of those surveyed have
used password managers.

Do our cybersecurity campaigns and programmes fail, or might there be other, less frequently discussed causes? Have people forgotten how to think critically, or have they never been taught to do so? Does cybersecurity awareness have anything to do with the ever-increasing amount of information? According to some practical experience, the answer to these questions is: no – or at least, not solely.

As Eh’den Biber, a cybersecurity professional, put it
colourfully: “The problem is that we have a huge population that suffers from a
form of cyber autism. You try to teach them, they forget. They ignore you. They
get into a tantrum. They will exhibit all the symptoms of autism but toward the cyber world”.

Good cybersecurity defence, no doubt, starts with an appropriate
awareness. And awareness starts with changing a life paradigm, changing the
view of the world and changing habits.

“Right now, cybersecurity is the mainstream. Every day there’s something in the news about it. If that doesn’t make people more aware of cybersecurity issues, what will? In my opinion, awareness training is only effective for people who are already up to speed; we all know what people are like. If we need to get over an obstacle in order to achieve a goal, that’s what we’ll do. No amount of awareness training is going to change that”, says Román Ramírez, a Spanish cybersecurity expert.

So it seems that we (still) have to strengthen the weakest link in cybersecurity – humans! A recent report states that 65% of the surveyed chief information security officers (CISOs) spend sleepless nights worrying about phishing scams, and 61% of them fear disruption to processes caused by malware.

There are numerous theories on changing human behaviour in
the workplace, but all of them start with changing organisational culture. This refers to the knowledge, beliefs, perceptions,
attitudes, assumptions, norms and values of people regarding security, and how
these manifest themselves in people’s behaviour with information technologies.

Anti-cyber-autism culture

First things first: changing cybersecurity culture requires
time and effort. And everything should begin with a risk assessment. In other words,
there is no effective generic cybersecurity culture.

Yes, all organisations should consider ‘best practice’ such
as promoting cybersecurity culture by securing top management support or
building morale. However, setting achievable and measurable goals for building an
effective cybersecurity culture is not possible without assessing the particular
threats, vulnerabilities and associated business risks. This holds for both the
organisation’s cybersecurity and the privacy of its employees.

Secondly, in today’s complex threat landscape, cybersecurity culture must consider many different technical and organisational factors. Although modern technologies are essential for confronting cyber threats, other factors such as effective and actionable policies, information sharing and user awareness must also be factored into organisational cybersecurity culture.

Thirdly, in order to improve an organisation’s cybersecurity posture, culture must be built on the premise that it has to be a collective effort that interlinks cybersecurity practices with business operations. This approach should also demonstrate that cybersecurity is not solely the function of often under-resourced IT departments but of the whole organisation. An effective cybersecurity culture ensures that each employee develops a vested interest in protecting the organisation.

Fourthly, accountability and responsibility are also part of
an effective cybersecurity culture. However, these must not be perceived as a means of punishing employees but as
opportunities to strengthen the organisation’s commitment to protecting its information assets and business operations.

Fifthly, an increasingly mobile workforce and working from home
also have an impact on organisational cybersecurity culture. Hence, companies
should enforce and maintain a culture of
acceptable mobile security behaviour.

Finally, in order to build a truly effective cybersecurity culture, an organisation should incorporate the above practices into its own risk assessment and particular security needs. A copy-and-paste cybersecurity culture will not work. In fact, it might only lead to cyber-autism.

The 2018 Cybersecurity Culture Report from ISACA and CMMI Institute shows that there is still much progress to be made, since 95% of global respondents in that survey identified a gap between their current and desired organisational cybersecurity culture.